update link_subset test, to include child x

tests/regression/subdomain/link_subset.c

@@ -27,24 +27,27 @@
 #define AA_MAY_LOCK			0x0020
 #define AA_MAY_MOUNT			0x0040
 #define AA_EXEC_MMAP			0x0080
+
 #define AA_EXEC_UNSAFE			0x0100
+#define AA_EXEC_INHERIT			0x0200
 
-#define AA_EXEC_MOD_0			0x0200
-#define AA_EXEC_MOD_1			0x0400
-#define AA_EXEC_MOD_2			0x0800
+#define AA_EXEC_MOD_0			0x0400
+#define AA_EXEC_MOD_1			0x0800
+#define AA_EXEC_MOD_2			0x1000
+#define AA_EXEC_MOD_3			0x2000
 
-#define AA_EXEC_MODIFIERS		(AA_EXEC_MOD_0 | \
-					 AA_EXEC_MOD_1 | \
-					 AA_EXEC_MOD_2)
+#define AA_EXEC_MODIFIERS		(AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
+					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
 
-#define AA_EXEC_BITS (AA_MAY_EXEC | AA_EXEC_MODIFIERS | AA_EXEC_UNSAFE)
+
+#define AA_EXEC_TYPE (AA_MAY_EXEC | AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
+		      AA_EXEC_MODIFIERS)
 
 #define AA_EXEC_UNCONFINED AA_EXEC_MOD_0
-#define AA_EXEC_INHERIT    AA_EXEC_MOD_1
-#define AA_EXEC_PROFILE    (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
-#define AA_EXEC_PIX        AA_EXEC_MOD_2
+#define AA_EXEC_PROFILE    AA_EXEC_MOD_1
+#define AA_EXEC_LOCAL     (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
 
-#define MAX_PERM (AA_EXEC_MOD_2 << 1)
+#define MAX_PERM (AA_EXEC_MOD_2)
 #define MAX_PERM_LEN 10
 
 
@@ -66,9 +69,9 @@ int valid_link_perm_subset(int tperm, int lperm)
 		return 1;
 
 	/* ix implies mix */
-	if ((lperm & AA_EXEC_MODIFIERS) == AA_EXEC_INHERIT)
+	if (lperm & AA_EXEC_INHERIT)
 		lperm |= AA_EXEC_MMAP;
-	if ((tperm & AA_EXEC_MODIFIERS) == AA_EXEC_INHERIT)
+	if (tperm & AA_EXEC_INHERIT)
 		tperm |= AA_EXEC_MMAP;
 
 	/* w implies a */
@@ -83,11 +86,11 @@ int valid_link_perm_subset(int tperm, int lperm)
 //		tperm |= AA_EXEC_UNSAFE;
 
 	/* treat safe exec as subset of unsafe exec */
-//	if (!(lperm & AA_EXEC_UNSAFE))
-//		lperm |= AA_EXEC_UNSAFE & tperm;
+	if (!(lperm & AA_EXEC_UNSAFE))
+		lperm |= AA_EXEC_UNSAFE & tperm;
 
 	/* check that exec mode, if present, matches */
-	if ((lperm & AA_MAY_EXEC) && ((lperm & AA_EXEC_BITS) != (tperm & AA_EXEC_BITS)))
+	if ((lperm & AA_MAY_EXEC) && ((lperm & AA_EXEC_TYPE) != (tperm & AA_EXEC_TYPE)))
 		return 0;
 
 	return !(lperm & ~tperm);
@@ -111,33 +114,32 @@ void permstring(char *buffer, int mask)
 			case AA_EXEC_UNCONFINED:
 				*b++ = 'u';
 				break;
-			case AA_EXEC_PIX:
-				*b++ = 'p';
-				/* fall through */
-			case AA_EXEC_INHERIT:
-				*b++ = 'i';
-				break;
 			case AA_EXEC_PROFILE:
 				*b++ = 'p';
 				break;
+			case AA_EXEC_LOCAL:
+				*b++ = 'c';
+				break;
+			default:
+				*b++ = 'y';
 			}
 		} else {
 			switch(mask & AA_EXEC_MODIFIERS) {
 			case AA_EXEC_UNCONFINED:
 				*b++ = 'U';
 				break;
-			case AA_EXEC_PIX:
-				*b++ = 'P';
-				*b++ = 'i';
-				break;
-			case AA_EXEC_INHERIT:
-				*b++ = 'I';
-				break;
 			case AA_EXEC_PROFILE:
 				*b++ = 'P';
 				break;
+			case AA_EXEC_LOCAL:
+				*b++ = 'C';
+				break;
+			default:
+				*b++ = 'Y';
 			}
 		}
+		if (mask & AA_EXEC_INHERIT)
+			*b++ = 'i';
 		*b++ = 'x';
 	}
 	if (mask & AA_MAY_LINK)
@@ -156,19 +158,22 @@ void build_filename(const char *name, int perm, char *buffer)
 }
 
 int is_valid_perm_set(int perm) {
-	if (AA_EXEC_BITS & perm) {
+	if (AA_EXEC_TYPE & perm) {
 		/* exec mods need the perm bit set */
 		if (!(perm & AA_MAY_EXEC))
 			return 0;
-		if (!(perm & AA_EXEC_MODIFIERS))
+
+		/* unconfined can't inherit */
+		if (((perm & AA_EXEC_MODIFIERS) == AA_EXEC_UNCONFINED) &&
+		    (perm & AA_EXEC_INHERIT))
 			return 0;
 
 		/* no such thing as an unsafe ix */
-		if ((perm & AA_EXEC_MODIFIERS) == AA_EXEC_INHERIT && (perm & AA_EXEC_UNSAFE))
+		if ((perm & AA_EXEC_MODIFIERS) == 0 && (perm & AA_EXEC_INHERIT) && (perm & AA_EXEC_UNSAFE))
 			return 0;
 
 		/* check exec_modifiers in range */
-		if (!((perm & AA_EXEC_MODIFIERS) > 0 && (perm & AA_EXEC_MODIFIERS) < AA_EXEC_PIX +1))
+		if (!((perm & AA_EXEC_MODIFIERS) > 0 && (perm & AA_EXEC_MODIFIERS) < AA_EXEC_MOD_2))
 			return 0;
 	}
 	/* only 1 of append or write should be set */